
intents or potential vulnerabilities within closed binary files. With the right tools and a little know-how, it's a surprisingly straightforward undertaking for information security professionals to sniff out security weaknesses, such as format strings, buffer overflows and unrestricted permissions in Android applications.

First, you need to be familiar with the anatomy of an Android application. Android code is typically Java, and the application is delivered as an Android package (APK) using a compressed file format such as ZIP (though the extension is renamed .apk). Once unzipped, the root directory will contain folders with the application resources, along with a signature file. Every Android application root directory must also contain a binary XML file named AndroidManifest.xml, which communicates essential information about the application to the Android system.
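As an added example (not code from the article or from viaForensics), the script below builds a constructed, in-memory zip laid out like the APK described above and then inspects it for the parts the paragraph names: the AndroidManifest.xml (checking that it really is Android binary XML, which starts with the bytes 03 00 08 00), the Dalvik classes.dex, the resource folders and the signature files under META-INF. It also hashes each dex file so the digest can be compared against a known-malware hash list; the hash list here is constructed by the caller, and every file body except the leading magic bytes is placeholder padding.

```python
import hashlib
import io
import zipfile

# Constructed stand-ins for the binary files found inside an APK. Only the
# leading magic bytes are realistic; the rest is padding so the script runs offline.
AXML_MAGIC = b"\x03\x00\x08\x00"   # start of Android binary XML (RES_XML_TYPE chunk, header size 8)
DEX_MAGIC = b"dex\n035\x00"        # magic of a Dalvik executable, version 035
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC")  # signature block files found under META-INF/


def build_sample_apk(signed: bool = True) -> bytes:
    """Return an in-memory zip laid out like an APK (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 60)
        z.writestr("classes.dex", DEX_MAGIC + b"\x00" * 100)
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00" + b"\x00" * 20)
        z.writestr("res/layout/main.xml", AXML_MAGIC + b"\x00" * 20)
        z.writestr("assets/config.txt", b"debug=false\n")
        if signed:
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"\x30\x82" + b"\x00" * 16)  # placeholder, not a real PKCS#7 blob
    return buf.getvalue()


def inspect_apk(apk_bytes: bytes) -> dict:
    """Report the structural pieces of an APK: manifest, dex files, top-level folders, signature."""
    if not zipfile.is_zipfile(io.BytesIO(apk_bytes)):
        raise ValueError("not a zip container, so not an APK")
    report = {
        "has_manifest": False,
        "manifest_is_binary_xml": False,
        "dex_files": [],
        "dex_sha256": {},
        "signature_files": [],
        "top_level_dirs": set(),
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if "/" in name:
                report["top_level_dirs"].add(name.split("/", 1)[0])
            if name == "AndroidManifest.xml":
                report["has_manifest"] = True
                # apktool is needed to decode this: it is binary XML, not text
                report["manifest_is_binary_xml"] = z.read(name).startswith(AXML_MAGIC)
            elif name.startswith("classes") and name.endswith(".dex"):
                report["dex_files"].append(name)
                report["dex_sha256"][name] = hashlib.sha256(z.read(name)).hexdigest()
            elif name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                report["signature_files"].append(name)
    report["dex_files"].sort()
    report["signature_files"].sort()
    report["top_level_dirs"] = sorted(report["top_level_dirs"])
    return report


def match_known_hashes(report: dict, known_bad_sha256: set) -> list:
    """Names of dex files whose SHA-256 is in a known-malware hash list supplied by the caller."""
    return sorted(n for n, h in report["dex_sha256"].items() if h in known_bad_sha256)


if __name__ == "__main__":
    r = inspect_apk(build_sample_apk())
    for key, value in r.items():
        print(f"{key}: {value}")
    print("hash matches:", match_known_hashes(r, {r["dex_sha256"]["classes.dex"]}))
```

Running it against a real APK means replacing build_sample_apk() with the bytes of the pulled file; an unsigned package shows up as an empty signature_files list, and a manifest that does not start with the binary XML header is a sign the archive is not a packaged app at all.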

Access the Android APK from a phone

Before you begin reverse engineering the application, you'll want to back it up to an SD card. There are a number of tools you can use to do this, including APKoptic and Astro File Manager with Cloud. (For this demo, we'll be using the free Santoku-Linux distribution, which includes open source security tools and utilities for analyzing Android applications.) As shown in Figure 1, to start accessing the Android APK you'll run two commands using the Android Debug Bridge (adb) tool:

adb shell pm list packages

adb pull /data/app/package-name-1.apk

Figure 1. To get the Android package from a device, you can use tools such as Android Debug Bridge to run a list packages command. (Source: viaForensics)

Get the APK from Google

You can also download the Android APK from Google Play. There are two ways to do this:

Disassemble the APK

To start taking apart the application, you'll first need the Android-apktool, an open source multi-platform utility that will allow you to decode resources to their original form and rebuild them after modification. It can transform Android’s binary Dalvik bytecode (classes.dex) into Smali source code, as shown in Figure 2. Smali is an assembler language for the DEX (Dalvik EXecutable) format used by the Dalvik Virtual Machine, an integral part of Android that runs applications on the operating system.

Translate the APK to Java

To decompile the Android APK, you'll want to use the dex2jar tool, which converts Dalvik bytecode (DEX) to Java bytecode (the Java Archive file format, also known as JAR). This allows you to use any existing Java decompiler with the resulting JAR file. (See Figure 3.)

Transforming DEX to JAR loses important metadata useful to the decompiler. Pure Dalvik decompilers go directly from DEX to Java and thus produce better results. There aren't as many choices for Android decompilers, but useful ones include:

Analyze code for vulnerabilities

And that's it. The reverse engineering is complete. The Java code is now accessible, allowing you to check it against known malware databases and run scripts to detect malicious code.
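As an added example of the kind of script this step refers to (not code from the article or from viaForensics), the scanner below walks decompiled Java source one line at a time and flags two of the weaknesses named at the top of the article: files opened with the world-readable or world-writable modes (the real Android constants MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE) and String.format calls whose format string comes from a variable rather than a literal. The Java snippet it scans is constructed for the demonstration and is not taken from any real application; the rule set is an assumption about what a first pass should look for, not an exhaustive list.

```python
import re

# Constructed sample of decompiled Java (not from any real app): line 4 uses a
# world-readable file mode, line 5 formats with a caller-supplied string, line 6 is clean.
SAMPLE_JAVA = """\
package com.example.demo;
public class Store {
    void save(Context ctx, String userInput, String body) {
        FileOutputStream out = ctx.openFileOutput("notes.txt", Context.MODE_WORLD_READABLE);
        String msg = String.format(userInput, body);
        String ok = String.format("User %s logged in", body);
        Log.d("Store", msg + ok);
    }
}
"""

# Each rule is (finding name, compiled regex) and is applied to a single source line.
RULES = [
    ("world-readable or world-writable file mode",
     re.compile(r"\bMODE_WORLD_(READABLE|WRITEABLE)\b")),
    ("format string taken from a variable rather than a literal",
     # String.format( followed by an identifier (not a quote) that is the whole first argument
     re.compile(r"String\.format\(\s*(?!\")[A-Za-z_]\w*\s*[,)]")),
]


def scan_java(source: str) -> list:
    """Return one finding dict per matching line: {'line': n, 'rule': name, 'code': text}."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append({"line": lineno, "rule": name, "code": line.strip()})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule so a large decompiled tree can be triaged at a glance."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_java(SAMPLE_JAVA)
    for h in hits:
        print(f"line {h['line']}: {h['rule']}\n    {h['code']}")
    print(summarize(hits))
```

To run it over a decompiled tree, feed each .java file's contents to scan_java and merge the results; line-at-a-time matching keeps the script fast on large apps but means a call split across lines is missed, so treat a clean result as a first pass rather than a verdict.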

About the author: Andrew Hoog is CEO and co-founder of viaForensics. As a mobile security researcher and computer scientist, he has spoken at major banking, security and forensic conferences. He is the author of two books on security, iPhone and iOS Forensics and Android Forensics, and has two patents pending in the areas of forensics and data recovery. Mr. Hoog holds a bachelor of arts degree in computer science from Saint Louis University and is completing a master of business administration degree from University of Chicago’s Booth School of Business.
